Bank Risk Management and Risk Culture

Bank Risk Management:
Focusing on Risk Culture as well as formal risk
management frameworks
Professor Moorad Choudhry
Faculty BTRM
27th June 2023

2
© 2023 BTRM / Choudhry LinkedIn 2023
Agenda
 Acting on and making real the bank's formal risk management policies
 Embedding risk management processes into the firm’s daily practice
through an effective risk culture
 Case studies and "lessons learned" from events in 2022 and 2023
 Recommendations for ensuring effective risk culture
This is the
challenging part…

3
Typical description of what a bank might have in its
annual report
 Risk culture
 The bank understands the need for an open and clear risk
management approach and the risk culture in the bank is designed to
facilitate:
 Strong risk awareness across the organisation
 A reward structure that aligns with risk appetite and reinforces the risk
management culture
 Risk-aware decision making in line with strategic goals
 Clarity in roles and responsibilities within the three lines of defence, and
 Risks being identified, quantified, managed and reported in timely fashion
 All employees are provided with risk training as part of their induction
and have on-going refresher training
 Risk appetite
 Etc
 Etc
It is straightforward to write
this in an Annual Report,
ICAAP, website or other
formal communication…
…the challenge is how to
ensure it actually
happens

4
Typical description of what a bank might have in its
annual report
 Risk culture
 The bank understands the need for an open and clear risk
management approach and the risk culture in the bank is designed to
facilitate:
 Strong risk awareness across the organisation
 A reward structure that aligns with risk appetite and reinforces the risk
management culture
 Risk-aware decision making in line with strategic goals
 Clarity in roles and responsibilities within the three lines of defence, and
 Risks being identified, quantified, managed and reported in timely fashion
 All employees are provided with risk training as part of their induction
and have on-going refresher training
 Risk appetite
 Etc
 Etc
How do we
ensure this?
Credit Suisse
certainly had all
this written
down… Yet failed to
ensure this
(see later
slides)…
Online training generally
allows multiple attempts
to pass tests that seek to
demonstrate this…it’s
often a “tick-box” process

5
“Risk culture”
 This lecture title starts out with “How to focus on risk culture…”
 But what is “risk culture” in a bank?
 What is “culture” in a bank?
 What is “culture”?

6
Dictionary first…
“Risk culture is a set of norms, attitudes and behaviours related to awareness,
management and controls of risks in a bank. It shapes management's and employees'
day-to-day decisions and has an impact on the risks they take.”
Google Dictionary, 15 Feb 2023

I prefer a simpler definition…

8
The Principles of Banking, 2nd Edition (Wiley 2022)
….
Extract from the “Afterword” (pages 771-773)
From the First Edition:
“The risk management principles we have discussed in this book are identical
whichever way one looks at them: be it from a shareholder-value perspective,
hedging or fair-value perspective, regulatory requirement perspective or societal
well-being perspective. It is important for bank management to incorporate them into
their strategy and practice, even if they think that other banks are ignoring them.”
And from the Second Edition:
“These words remain relevant in 2022, and I daresay will be in 2032 or 2122. But
what I have learned since the first edition was published is this: it is easy, very easy,
to write these things in a Word or PowerPoint file. It is even easier to say them, and
easier still to stand up and present them to an audience, because no-one will
disagree with you. The challenge lies in actually doing them. Making them happen.
Making them reality. That is the problem that bank managers face – how to make
real, in practice and in their day-today business, what is written down in policy
statements and governance frameworks.”
This is “Risk Culture”: actually doing what it is you say to your
stakeholders that you are doing
So what are the “things” that we say we’re doing?

10
Enterprise risk management
 Enterprise risk management (ERM) is defined slightly differently in
different publications but in essence it describes an integrated, single
approach to “risk management” as a whole that places all risks associated
with the firm’s operation into one single taxonomy – this avoids the “silo”
mentality and approach of previous methodologies
 ERM concept is not new, it’s at least as old as the current century!
 Risk in a bank is risk, irrespective of the specific type and where it
originates from
 Risk is the effect of uncertainty on objectives
--- ISO 31000: Risk Management Principles and Guidelines 2018
 ERM uses one view of risk, describing, analysing and managing all risks
and related controls in a similar, consistent manner. The “integrated”
approach is ensured via a single risk taxonomy, allocated as a specific
responsibility.

11
ERM…
 A generic ERM framework can be summarised as follows:
 The ERM framework should be defined and used as the basis of all risk
management processes across the bank.
 ERM process would include Governance, Processes and Systems, People and
Culture, Escalation / Reporting / Response and Continuous Improvement.
 ERM Processes and Systems should be:
 comprehensive and cover all aspects of a risk’s lifecycle
 cover all risk and compliance related processes in the bank
 be integrated with the central risk libraries and with each other
 be consistent yet be tailored to the specifics of each risk type
 provide a firm-wide view using one single reporting platform
 be flexible and adaptable so
 the processes can grow with the firm
 users can tailor the system capabilities and experience to their specific needs
while maintaining the integrity of the ERM principles.

12
ERM…
 Protecht Group uses the following diagram to
illustrate the ERM framework
 It describes the constituent parts as:
 The Roof – Governance. This covers the
mechanisms and structures that provide overall
governance of ERM, including Roles,
Responsibilities of Committees, the “Three
Lines” model, and Risk Appetite
 The Foundations - People and Culture
 The Rooms. Risk Management Processes
and Systems This covers the core risk
management processes, including but not
limited to, Risk Assessment, Risk Metrics,
Incident Management and Compliance.
 The Right Hand Wall – Reporting and
Response. This includes Escalations and
workflows
 The Left Hand Wall – Continuous
Improvement. This covers Issues and Actions
Management, “Root Cause Analysis” and Risk
Treatment
© ProtechtGroup.com 2022

13
ERM…
 A robust ERM framework will enable risk management processes and
systems that:
 cover the full lifecycle of risk from potential risks as yet not “occurred” all the way
to a risk incident having happened
 cover the full range of enterprise risks (we cover this later in the “Risk Register”)
 are integrated with each other and with the central register or taxonomy of risks
and controls
 enable tailoring of process and content dependent on the specific risk type being
managed.
 The way that risk exposure is measured and reported is important
 There are many different integrated risk dashboards that can be observed in
different banks
 Whichever template is used, it is important for the user to see an integrated
view of the ERM framework information, allowing them to focus on
mitigation as well as on remediating actions and audit findings

14
ERM in banks
 In most jurisdictions, banks are required to develop and implement an
“Enterprise Wide Risk Management” (ERM) framework that is approved
by the Board of Directors
 Author’s definition: In essence, for a bank this means having a risk
management framework (RMF) that enables the definition,
measurement, monitoring, mitigation and management to calibrated
risk appetites of all the risk exposures that it faces in the ordinary
course of business, as well as exposures that might impact it during
any unforeseen stress event.
 The RMF ideally should
 Establish risk tolerance and risk limits for all risk types, ensuring they are
embedded in the business strategy and day-to-day operating processes;
 Define the organisational structures and tools that will be applied to identify,
analyse, evaluate, manage and monitor all risk types;
 Enable provision of risk data aggregation and reporting to specific
responsible persons

15
My orthodox Risk Management Framework
 This incorporates:
 Committee structure and authority
 Board and Board Risk + ALCO
Committees
 Mandate + delegated authorities
 Holistic approach
 Risk Management philosophy and
 key principles
 Link to strategic planning capital +
funding frameworks
 Risk Culture, Values and Behaviours
 “Tone from the top”
 Transparency, reporting and
disclosure
 A Risk Appetite Statement
 All Key Risks identified and defined
 Quantitative Risk Bearing capacity
 Risk Appetite and firm Limits
 Risk Framework + Key Risk Policies
Governance and Organisation
(Committees)
Strategy and Business Plan
(Stakeholder Objectives, Strategic Objectives, Risk Capacity, Culture and Values
High Level Risk Taxonomy and Risk Appetite
(Quantitative and Qualitative)
Risk Appetite Statement
(Policies, Protocls and Limits (KRIs, KPIs and EWIs))
Procedures and Processes
Assurance: Reporting and Stress Testing
Risk and Control
Registers
(Granular Risk
Taxonomy)
Risk Indicators (Lower
level metrics, Analysis
and Risk Drivers)
Risk and Compliance
Reviews (Action
Tracking)
Risk Event Reporting
and Internal Loss
Management
Regulatory Compliance
(Oversight, Horizon
Scanning and Relationship
Management
Credit Quality
Assurance
Source: “The Principles of Banking, 2nd edition (2022) Figure 18.1

16
 The RMF is observed and implemented via the following principles:
 Governance is maintained through the effective delegation of authority from the Board
down through the committee and management hierarchy to specific named individuals;
 Risk management is based on the Three / Four Lines of Defence model, in which the
business management owns and reports on the risks assumed throughout the bank and is
responsible for ensuring that these are managed and controlled on a day-to-day basis;
 The Board and business management are engaged in and promote a culture in
which risks are identified, assessed and reported in an open, transparent and
objective manner;
 2LoD (the Risk function) is the independent oversight, review and challenge function of
the banks; it also provides support and advice on the management of risk across the
business;
 The Risk Appetite Framework (RAF) is the approach and process through which the Risk
Appetite Statement (RAS) of the bank is established, communicated and implemented.
 The RAF aims to (i) define how the bank’s executives monitor compliance with the RAS on
a day-to-day basis (ii) document the escalation and reporting procedures to be followed if
there is a potential or actual breach of the RAS; (iii) demonstrate how the RAS is
embedded within the business;
Risk management framework…

17
Three / Four lines of defence
1st LoD 2nd LoD 3rd / 4th LoD
The Business Risk & Compliance Internal and External Audit
Oversight The Board supported by the
Executive Committee and
ALCO
The Board Risk sub-
committee supported by
ALCO and the Executive
Credit Committee
The Board Audit sub-
committee supported by
Internal Audit and the External
Auditors
Function Ownership, responsibility
and accountability for risks
and controls
Monitors and facilitates the
implementation of effective
risk management. Provides
oversight and challenge,
support, and advice
Provides assurance of (i) 1LoD
and 2LoD risk management (ii)
regulatory interpretation and
reporting
Embedding The Board, via the CEO
delegates to business line
heads day-to-day
responsibility for risk
management, regulatory
compliance, internal control
and conduct in running their
business areas
The Board Risk sub-
committee delegates to the
Chief Risk Officer day-to-day
responsibility for oversight
and challenge to provide
assurance on the
management of risk
Internal Audit and External
Audit execute independent
reviews to test that controls
are working effectively and
remain up-to-date within
current regulation
Essential role of the
Compliance function as
part of the ERM
framework

18
Capturing all bank-wide risks
Level 1 Risk 1st LoD Risk Owners 2nd LoD Risk
Owner
Definition
CREDIT MD’s of each
Business area/MD
Sales & Marketing
CRO Risk of loss from the failure of a customer to meet its obligations to settle outstanding amounts, including Concentration Risk.
OPERATIONAL COO, Head of HR,
Legal & CFO
The risk of loss resulting from inadequate or failed internal processes, people, or from external events, including legal risk and
supplier risk.
IT CTO Loss of technology services due to loss of data, system or data centre including, where applicable, failure of back up processes and/or
a third party to restore services.
COMPLIANCE MLRO The risk of material financial costs (including rectification and remediation costs), legal and regulatory sanctions, or reputational
damage the bank may suffer as a result of its failure to comply with relevant laws, regulations, principles, rules, standards and codes
of conduct applicable to its activities, in letter and spirit. Within Compliance,
• Conduct is the risk that actions undertaken by the bank and / or its staff could lead to customer detriment, employee detriment
(outside of appetite), inappropriate control of financial crime and related activity or negative impact on market stability.
• Prudential Compliance is the risk of material loss or liability, legal or regulatory sanctions, or reputational damage arising from
breaching existing relevant prudential policy, laws, or regulations, in any jurisdiction in which the entity operates.
NON TRADED
MARKET
Head of Treasury The Market Risk arising in Non Trading assets and liabilities.
CAPITAL &
STRESS TESTING
CFO The risk of not being able to conduct business in base or stress conditions due to insufficient qualifying capital as well as the failure to
assess, monitor, plan and manage capital adequacy requirements.
FUNDING &
LIQUIDITY
Head of Treasury The risk that the company is not able to meet its liabilities as they fall due, or has insufficient resources to repay withdrawals.
REPUTATIONAL ExCo members The risk of brand damage and/or financial cost due to the failure to meet stakeholder expectations of the company’s conduct and/or
performance.
BUSINESS CFO/ (+MD’s of Biz
areas/ S&M)
The risk that the company suffers losses as a result of adverse variance in its revenues and/or costs relative to its business plan and
strategy.
STRATEGIC CEO (Board) The risk that the company will make inappropriate strategic choices, is unable to successfully implement selected strategies, or
changes arise which invalidate strategies. This includes all divestment programme related risks.
CLIMATE CHANGE CEO The risk of negative impact on the balance sheet arising out of physical and transitional risk of climate change
Example of risk capture within the ERM framework (financial risks and non-
financial risks) from the previous decade…

19
Capturing all bank-wide risks…
 The Risk Register in the RMF should be reviewed frequently to ensure
it remains up-to-date and fit-for-purpose at all times, in order to capture
all risks and also up-and-coming risks
 For example, to the register shown in previous slide we would now wish
to add (and assign specific 1LoD and 2LoD responsibilities for) the
following:
 Operational resilience
 Regulatory reporting
 Third-party / outsourcing
 Cyber crime
 Etc

20
Aligning business development and risk
strategy
 We have to ensure the RMF remains a “Living Document”…
 The key elements required that help further with maintaining an always
current RMF are:
 Embedding the RMF, RAF and RAS firmly within the business
 At least annual review of the Risk Register and RAS, and more frequently
whenever there is (i) external risk events (ii) significant internal
developments
 Regular governance effectiveness reviews (genuine review with results
acted upon, not tick-box questionnaire forms
 Practising response to stress events through simulation exercises (such as
the Recovery Plan “Firedrill” exercise)
 We will address some of these issues later in the presentation

21
Risk strategy
 Risk strategy includes that the bank has an established RMF in place
which ensures that it :
 operates with integrity within the marketplace.
 operates within Board approved risk appetite; and
 complies with regulatory requirements and meets the expectations of the
[national supervision authority] PRA and FCA
 has in place a Board and executive that understands the risk exposures that
the bank faces and has the requisite technical expertise to manages these
exposures during times of market stress
 While at any time the RMF should be fit for purpose today, the risk
management of any entity will change over a period in line with the
evolution of its risks.
 This highlights the importance of establishing a risk management
strategy, which will be subject to regular review, to ensure that the
bank maintains an appropriate approach to risk management at all
times

22
Risk strategy…an ongoing process
 Risk strategy setting and finalisation should be undertaken principally
by 1st LoD risk owners, with input and oversight provided by the 2nd
LoD function, to provide:
 a bank-wide view of the current risk landscape;
 where the bank thinks it needs to be in 12-18-24 months;
 and the actions that it perceives will need to be taken in 12-18 months.
 The key outcome of the risk management strategy process is a
series of actions which the businesses have agreed will be
required to ensure that the management of risk remains fit for
purpose.

23
Risk strategy…Example of output of risk strategy
process: Building in adaptability and resilience
 Risk culture and governance
 At Board level risk management and control is given adequate time….Board
and its members take their regulatory and fiduciary responsibilities seriously
 Ensure at Board level there is an appetite to ensure that the risk framework
“front runs” the business growth and agenda
 At Executive level the picture should be similar, with the “C-suite” reflecting
the same approach
 Subject the risk culture to significant internal and external scrutiny, formally
via Internal Audit and by external independent review

24
Updating the risk register
 The most effective risk register is one that identifies risk types before
the bank is actually exposed to them
 This implies the powers of a clairvoyant…
 …but compared to the register we showed earlier, today we would
expect to add a few more
 See checklist overleaf…

25
 EXAMPLE
 Extract of updated risk register
showing latest additional risk types
and selection of mitigating
actions….
 Clear individual ownership and
appropriate governance committee
is noted
 The risk types noted earlier remain
important!
 And today…
 “SOCIAL MEDIA RISK”…
 Risk of negative and/or fake news
on social media going viral and
triggering an instant bank run…
 …with funds accessed via
smartphones instantly
Risk Area Action Proposed Responsible Committee
Regulatory Reporting
Define regulatory reporting as a
discreet risk appetite, including a
risk appetite statement limits and
calibration.
CRO BRC
Third Party
Train new technology analyst
resource in 3rd
party
management
CTO Exec
Operational
Resilience
Ensure BCP training also
includes operational resilience
training
CTO ERC
Cyber
Assess the bank against
CQUEST
CTO Board
Operational
Resilience
Develop the operational
resilience database and
dashboard
CTO Exec
Data
Information Security Manager to
become Deputy Data Protection
Officer (DDPO)
DPO Exec
Financial Crime
Implementation of TruNarrative
AML system
CCO ERC
Climate Change
Clear plan for ‘green’ product
development
CCO ExCo
Climate Change
Develop the capability for
financial risk assessment and
scenario testing which will
include consideration buying in of
benchmarking data
CFO BRC
Data
Undertake an internal review to
ensure that all personal data is
stored securely on the network
with no data held on local
devices
CTO ERC
Conduct
Update customer harm risk
assessment for products and
services
CRO BRC
Climate Change
Customer Engagement plan on
emissions impact and
transitioning to net zero
CCO BRC
Cyber
Deliver a secure development
framework
CTO ERC
Climate Change
Undertake a review of our
position against emerging best
practice
CCO BRC
Cyber
Commission a 2LoD review of
the cyber risk and control
framework
CRO ERC
Review and update Conduct
Risk Dashboard and reporting
once MI starts following from
Deposits and Lending
CRO ERC
Conduct

26
Embedding RAS throughout the bank
 Articulating and communicating the bank’s risk appetite
 The RAS needs to be articulated in a manner that employees will understand and
can use to measure risk against. This can be achieved via the following methods:
 The board-level RAS
 The Risk Appetite Policy Statement, part of the RMF and the ERM framework
 A series of “Mini” RAS for use in Group or multi-entity banking groups, for use at
subsidiary/divisional level. These are They are tailored statements for each
subsidiary/division based on standardised group RAS.
 Code of Conduct. The code of conduct should clearly articulate boundaries for staff
behaviour, linked to risk appetite.
 Key Risk Indicators (KRIs). The specific metrics (one or more for each risk type in the
risk register) and managed to calibrated quantitative limits
 Risk Matrices. The traditional risk matrix, where risk is measured using a qualitative
assessment of likelihood and consequence, is often used as a basis of setting risk
boundaries and evaluating Risk Appetite:
 Policies, Standards and Guidelines. Internal policies, standards and guidelines are a
common way to communicate risk appetite in a meaningful way so that staff understand
the boundaries within which they need to operate.

27
Communicating the overall risk position
 As part of embedding and operationalising the RAS, there are a
number of high level summary risk dashboards that can and are used in
banks
 There is more than one solution...
 …ideally, the reporting mechanism will be
 Succinct
 Accessible
 Give the complete picture in one or two slides
 Be forward looking
 We show two examples of high-level risk dashboards for senior
executives distribution

29
Example 1-pager
Category Risk Appetite Dec Jan Feb
Regulatory
Capital
Liquidity
IRRBB
Regulatory Reporting
Credit Credit
Operational
Operational Resilience
Third Parties
Cyber
Data
Operational
Strategic
Strategic
Climate change
Group
Conduct
Conduct
Compliance
Financial Crime

30
1-pager for the balance sheet (ALCO > Board)
ChoudWest Bank
ABC Bank
Bank of Surrey
© Dean Carter, former Treasurer,
Recognise Bank Ltd

32
Risk culture
 “Risk culture” has been defined in a number of ways and there are indeed
a number of ways of looking at it
 Speaking personally, the author would simply define it as always…
 “Doing the right thing”
 “Do good work”
 …and leave it at that. However there is much formal literature written on
this topic so we need to cover it in more than one sentence!
 To us, risk culture is part of the firm’s culture, so let’s define that first
 A firm’s “culture” is the beliefs and attitudes about something that people in a
particular group or organisation share, and/or
 a system of shared values (that define what is important) and norms that define
appropriate attitudes and behaviours for organisational members (how to feel
and behave)
 There are some common beliefs and traits that run thru these…

33
Risk culture…
 What culture is
 Culture is made up of beliefs, values, expectations, practices and
assumptions. It drives, and is driven by, the way the firm’s employees think.
 What culture is driven by:
 Culture is driven and influenced by many factors including, but not limited to:
 Behaviours of our leaders “tone from the top”,
 Existing accepted practices within the organisation
 Culture of our people brought in from outside of the organisation,
 Practiced and lived Vision, Mission and Ethos of the organisation
 What culture leads to: Culture affects the way people and groups make
decisions and interact with each other, with clients, and with all
stakeholders
 The author will stick to one conduct mantra that sums up “culture”:
 “Ethics is doing the right thing when no-one is looking”

34
Risk culture…and conduct
 Risk culture is a subset of, and not separate to, firm culture. It is the impact of
organisational culture on risk management. A common definition is:
 The norms and traditions of behaviour of individuals and of groups within an organisation that
determine the way in which they identify, understand, discuss, and act on the risks the
organisation is exposed to and the risks it takes.
 A simpler one might be:
 “Risk culture is what happens in the bank when no one is looking that affects how risk
management is practiced”
 Conduct is defined generally as the manner in which a person behaves, especially in a
particular place or situation.
 The focus on conduct is important in banking, where the knowledge imbalance
between financial service provider and customer is marked.
 A common definition of Conduct used in financial services is:
 any action of a regulated firm or individual that impacts customers, market stability or effective
competition
 Again the author prefers:
 “What happens in the bank, which affects our customers and other external stakeholders,
when no one is looking”

35
Firm culture, risk culture and conduct
 The Protecht Group illustrate the interplay between these three areas with the following exhibit:
 Personally, I prefer my diagram>>>
Firm Culture
Risk Culture
Conduct

36
Risk culture
 Regarding culture:
 at Board level risk management and control must be given adequate time;
 Board and its members take their regulatory and fiduciary responsibilities
seriously; ideally at Board level there is an appetite to ensure that the risk
framework “front runs” the business growth and agenda;
 at Executive level the picture should be similar, with C-suite reflecting the
approach above.
 At Board level there is extensive expertise with the Chairman, Chair of
Audit, Chair of Risk and Chair of ALCO contributing strongly in this
area.
 At Executive level the C-suite is experienced over the business cycle
 The bank recognises good practice internally and seeks to replicate it
across business areas
 The bank identifies good practice externally that would provide additional
benefit to it
 The bank reflect the experience of risk culture and practice both in 2LoD
reviews and in 3LoD reports

Team building
Relevance to risk management

38
Well-led teams are part of a good risk culture
 Well functioning teams assist an effective risk culture
 A team that works well together will see a common, shared objective in
their endeavour – being part of a well-managed bank – and this
generates a sound risk culture
 The key to well-functioning teams is effective leadership….
 …that fosters a genuine common shared objective goals and work
ethos
 Very few books on “Leadership” translate effectively to an office
environment
 One such book is Rinus Michel’s “Teambuilding: the road to success”

39
Total Treasury: The “Total Team”
concept
RBS “Project Bluebird” (2013-14) Treasury Doctrine
Everyone is involved in all tasks
No single-person dependencies
Open, collaborative and challenging environment
Effective upward and downward delegation
Supportive, genuine teamworking ethos
Open access: no cliques, no inner circles, no favourites
Genuine, straight speaking: no consultant-speak

40
Team building thru leadership

41
Risk Culture: a Case Study
 PRA fines MS Amlin Underwriting Limited £9,695,000 for failings in its governance,
controls and risk management
 https://www.bankofengland.co.uk/news/2022/october/pra-fines-ms-amlin-underwriting-limited
 18th October 2022
 In the Executive Summary the PRA say that MSAUL failed in its risk management
because
 i) there wasn’t a strong risk culture;
 ii) the 1st and 2nd lines of defence were “blurred”;
 iii) they failed to remediate deficiencies identified.
 The PRA goes on to say the firm failed to organise and control their affairs responsibly
and effectively because i) underwriting governance was fragmented; ii) underwriting was
presented at such a high level the Board could not effectively challenge it; iii) MI was
inadequate.
 Lessons for us all speak to having the right “Risk Culture” in a firm:
 1- Policies only protect you if you actually follow those policies.
 2- having a 3LoD only works well if you actually act on 2LoD and 3LoD
recommendations

Risk Culture:
“Lessons Learned” in 2023
Case Studies in (Risk) Culture and Competence

Re-learning the importance of Bank Asset-
Liability Management:
US bank failures and ALM lessons
(re)learned

44
Is this a new kind of bank collapse….?
….or did their failure all have something in common?
 “Do you remember the case, Gregson?”
 “No, sir.”
 "Read it up - you really should. There is
nothing new under the sun. It has all been
done before.”
--- Sherlock Holmes, A Study in Scarlet,
1887 (Sir Arthur Conan Doyle)

45
SVB: timeline of events
Source: ICAEW 2023
• 24th of February annual results released to market
• 1st of March Moody’s Investors Service communicate news to SVB of a likely ratings downgrade
• 8th of March ….
• The Bank’s holding company announced it was conducting a capital raise
• Bank announces a loss of approximately $1.8 billion from a sale of bond and mortgage back
securities portfolios
• Moody’s downgrades SVB Financial - senior unsecured to Baa1 from A3
• 9th of March
• Investors and depositors reacted by initiating withdrawals of $42 billion in deposits from the Bank
• Stock price plummets, 60% lower by the end of trade
• At the close of business on March 9, the bank had a negative cash balance of approximately
$958 million
• Despite attempts from the Bank, with the assistance of regulators, to transfer collateral from
various sources, the Bank did not meet its cash letter with the Federal Reserve
• The bank is now insolvent.

46
These banks’ failure is being blamed on the rise in interest rates…
 This chart seems to be implying something scary and
“unprecedented”….
 Fed Funds Rate: 20-year view:
Source: ICAEW 2023

47
But it isn’t “unprecedented”…know your
market history!
 Fed Funds rate: 40-, 50- and 60-year history
Source: Wikipedia.

48
Catalyst exposing a flawed ALM discipline
 SVB didn’t hedge it’s banking book interest-rate risk (see Appendix)
 Unlike EU and UK banks, it wasn’t obliged to follow Basel III guidance on
interest-rate risk in the banking book
 But interest-rate risk management is not a “new” discipline for a bank to follow
 The Author was using the standard “DV01” method (conceptually identical to
the IRRBBB “EVE” metric suggested by the Basel Committee) to manage IRR
of bond positions at Hoare Govett Securities back in 1992….
 There was nothing to stop SVB from managing its IRR….
 ….except its poor risk culture
 Or manage its liquidity risk.
 These are standard segments of asset-liability management (ALM)
discipline
 But first…
 …what is this “ALM” discipline?

49
Asset-Liability Management in banks…
• Reactive process following product
origination by the customer facing
business
• Managing liquidity, funding and interest
rate risk generated by the business
lines
• Proactive and integrated balance
sheet management framework
• ALM approach to solve a multi-
dimensional optimisation problem
• Strong profitability enhancer
...is clearly not a new discipline! It’s been around for a while!
The core of ALM discipline as practiced by banks worldwide for over 50 years is the
management of liquidity and funding risk and non-traded interest rate risk (‘IRRBB’)
1945-74
Abundance of funds in banks and stable rates
In the form of CASA – ALM mainly focused
on asset management
1975-2008 Post-2010
Reactive ALM –
Management of
FX/IR risks
Proactive ALM – interaction
between ALM and BU,
integrated management of b/s
origination and financial risks
© Beata Lubinska 2020. Used and adapted with permission.

50
Managing a bank’s balance sheet
 The general term “asset and liability management” entered common usage in banking
from the mid-1970’s onwards.
 It was defined in terms of four key concepts, managed at the aggregate balance sheet
level:
 Liquidity risk:
 Principally: funding liquidity, the continuous ability to maintain funding for all
assets
 Term structure of interest rates: the shape of the yield curve at any one time and
expectations as to its shape in the short and medium term impact ALM strategy of a
bank.
 The maturity (“gap”) profile of the book
 Interest-rate risk (first- and second-order)
 Risk of changes in asset-liability present value due to changes in interest rates.
 Risk of negative impact on net interest income due to changes in market interest
rates
 SO: “ALM” is a core of banking practice that is at least 50 years old
 It isn’t a new discipline. It’s a time honoured art
 How does a bank get to the point where ALM is not implemented in a best-practice
way?

51
Mix:
• 3 parts poor corporate governance
• 2 parts poor risk management
• 1 part lax regulatory supervision
Adapted from slide © ICAEW 2023.
SVB: Cocktail for a banking failure
The author’s cocktail is slightly different:
I would add: 5 parts non-existent risk culture. This is distinct from “poor risk
management” – it’s poor risk culture that drives poor risk management
practice
I would remove “lax regulatory supervision”. The level of supervision is
irrelevant if one can’t get even the basics right…

52
SVB corporate governance
• Risk Committee – lack of
banking and risk
management experience
• Chief Risk Officer –
absent for most of 2022
• Supervisory findings >> "The examination identified fundamental weaknesses in board effectiveness, risk
management, and internal audit—three areas critical to the safety and soundness of financial
institutions"
Slide © ICAEW 2023.

53
Risk management (or the lack thereof)
• Concentration risk
• Liquidity risk
• Interest rate risk
"In both cases, the bank changed its own risk-
management assumptions to reduce how these risks
were measured rather than fully addressing the
underlying risks."
"The full board of directors did not receive adequate
information from management about risks at Silicon
Valley Bank and did not hold management
accountable for effectively managing the firm’s risks."
Slide © ICAEW 2023.

54
The original sin
 Every bank in the USA (not to mention in UK and EU) had to deal with
and manage the rise in interest rates during 2022 and 2023
 The large majority of them didn’t go bust!
 The impact of rising rates exposed a flawed funding model at Silicon
Valley Bank (as it did at Signature Bank and was shortly to at First
Republic Bank)…

55
Concentrated funding structure
 SVB deposit customers were
concentrated excessively in
what the UK FSA used to call
“Type A” deposits and
depositors
 Large corporates, often non-
bank FI entities
 High proportion of
“uninsured” deposits
 These are not to be
considered as “stable” funding
 But let’s take a step back…
Source: ICAEW 2023

56
Liquidity risk management
 In the UK we have the concept of “Pillar 2 liquidity”, guidance from the PRA from 2016
 Amongst other things, it addresses:
 Those risk types addressed by the FSA ILAA regime not covered by Liquidity Coverage Ratio (LCR)
 Those risk types not covered by LCR and not previously covered by ILAA
 These include:
 Funding maturity mismatch beyond a 30-day tenor (up to 90 days minimum)
 Concentration of funding
 There is no “Pillar 2” or equivalence for non-systemic banks in the USA
 SVB had a high concentration of funding:
 Concentration by depositor type (one commentator described them as “Crypto and VC @-----”)
 Concentration by contractual maturity
 Concentration by product type
 SVB was not obliged to report NSFR and LCR
 In any case, we note that SVB’s LCR at the time it attempted a Rights Issue was ~71%...below the 100%
Basel III minimum
 Once the bank run started, the bank was doomed
 But the funding structure itself was always more vulnerable to a bank run following loss of
confidence than a bank that followed “Pillar 2” discipline
 This caused failure…the loss of confidence that leads to a bank run was not mitigated in any way

57
SVB Governance structure
 SVB’s asset-liability committee (ALCO) reported into the “Finance
Committee”
 The Finance Committee reported into the Board, or, depending on your
media source, the Board Risk Sub-Committee
 As we have observed with bank failures in 2007-09, this (orthodox and
very common) operating model places genuine understanding of the
balance sheet – and its risk sensitivity to changes in market
factors – too far away from the Board
 Every failed bank in 2007-08 and 2023 exhibited this similar balance
sheet management governance framework (which is one thaty most
regulatory authorities expect to see)…
 …the orthodox governance framework for managing the balance sheet
doesn’t have a very good track record does it?!

58
ALCO governance framework - traditional
 The traditional Board ALCO governance framework operating model
has been shown to be ineffective when considering failed banks!
Board of Directors Executive Committee
(ExCo)
Assetand LiabilityCommittee
(ALCO)
Executive Risk Committee ManagementCommittee
Executive Credit
Commitee
Board Audit &
Risk
Committee
Balance SheetManagement
Committee
(BSMCO)

59
ALCO and distance from the Board
Article from European Financial Review (2017): http://www.europeanfinancialreview.com/?p=17469

60
“The Principles of Banking, 2nd edition (2022) Figure 9.7
 The recommended Board, BRC, Exco and ALCO operating model:
reflects paramount importance of the ALCO in the overall ERM and
prudential regulation compliance process
Board of Directors
Executive Committee
(ExCo)
Assetand LiabilityCommittee
(ALCO)
Executive Risk Committee Executive Credit
Commitee
Board Audit &
Risk
Sub-Committee
Balance SheetManagement
Committee
(BSMCO)
So we need this one:

Credit Suisse
Slipping from one banana skin to another….and
another….

62
Credit Suisse risk culture
 The news stories around this particular “G-SIFI” bank had not been
particularly positive for some years now
 It reminds one of this quote from The Importance of Being Earnest, a
novella published in 1895…

63

64
Archegos hedge fund and Credit Suisse
 The slides related to CS and Archegos hedge fund summarise the
conclusions from a review of this event by Orbit360 (author: Andreas
Ita, Faculty BTRM). Reference is:
 https://www.orbit36.com/credit-suisses-archegos-case-fundamental-
questions-remain-unanswered/
 The question everyone should ask (and ideally answer) is:
 “How is it that a Tier 1 G-SIFI bank that has been the subject of intense
regulator scrutiny (as have all SIFI banks) since the implementation of Basel
III guidance was still able to suffer extensive losses as a result of the failure
of a single market counterparty?

65
Credit Suisse’s Archegos case – fundamental
questions
 Following the $5.5bn loss with hedge fund Archegos, the Board of Directors of
Credit Suisse appointed a Special Committee to conduct an independent external
investigation of the case. The results of the review performed by US law firm Paul,
Weiss, Rifkind, Wharton & Garrison LLP and its expert advisors are summarised
in a report published by Credit Suisse on July 29th, 2021.
 The report finds a failure to effectively manage risk in the Investment Bank’s
Prime Services business by both the first and second lines of defence as well as a
lack of risk escalation.
 This report dates from 2021. 2021….!
 Yet in 2023 the bank failed and was taken over by UBS…
 …seemingly nothing much had been done to address risk management and poor
risk culture failings
 NOTE: the hedge fund was a customer of the bank’s prime brokerage service.
Further detail on this affair in the Appendix

66
CS and the Archegos affair
 Orbit360 state in their article:
 Did Credit Suisse’s Board of Directors forget the lessons from the 2008/2009
financial crisis? A key lesson learned was that banks need to price the risks they
take appropriately and that investment bankers should be given the right
incentives.
 We show that the highly-leveraged total return swaps with Archegos were likely
not profitable enough to compensate shareholders for the risk taken. We
estimate that the expected return on allocated equity capital was only between
5%-6% post tax and thus well below the Cost of Equity rate.
 Possibly, Credit Suisse’s traders were motivated to enter into the trades
with Archegos because their personal compensation was linked to a
measure which did not take risk into account.
 The incident at Credit Suisse is a renewed wake-up call for bank board
members to review the compensation schemes for management and key risk
takers in their firm. We believe that this could be a wider industry challenge.
 We conclude: this is clear evidence of a poor risk culture in the bank that
has remained unchecked for several years. And that caught up with them…

67
Credit Suisse and risk culture
 Banking is, first and foremost, confidence (see CS CDS price in Appendix)
 A loss of confidence will lead, very quickly, in a loss of viability which
leads inevitably to failure and resolution
 It is clear that the Board and senior executive at Credit Suisse were
unable – or possibly unwilling – to address the kind of risk management
environment that enabled the bank to lurch from one bad news story to
another
 Yet the author can attest personally (one or two of his friends work
there!) to the fact that, optically, and on the surface, the bank’s “risk
management framework” was as comprehensive and all-
encompassing as any one would observe anywhere, at any bank.
 In theory the bank’s Risk Management Framework was fit for purpose
 In practice, it wasn’t….

68
The answer is not
further regulation….
…it is better risk culture
That is something that,
ultimately only a bank
itself can address

69

70
70
Taking personal responsibility: in the UK it’s formal (the “SMCR” regime)
Source: Patrick Ferguson, former
CRO, Recognise Bank Ltd

71
71
Integrity (CR1), Due skill
(CR2), Well controlled
(SM1), Regulation (SM2),
Open and Transparent
(SM4)
Due skill (CR2), Regulation
(SM2)
Due skill (CR2), Regulation
(SM2)
Integrity (CR1), Due skill
(CR2), Well controlled
(SM1), Regulation (SM2),
Open and Transparent
(SM4)
Source: Patrick Ferguson, former
CRO, Recognise Bank Ltd
CR2, SM1, SM2
Taking personal responsibility: in the UK it’s formal (the “SMCR” regime)

72
Conclusion
 The Author has published previously (see Reference slide, Chapter 18)
a recommended good-practice risk management framework (RMF)
 The components of an RMF in a bank are straightforward and generally
not complex to implement
 What the events of 2023 have demonstrated is that simply having an
RMF in place, while necessary, is not sufficient to prevent bank failure
 For an RMF to be effective, and to prevent failure for firm-specific
reasons, its operation must be undertaken within an environment that
promotes and fosters effective risk culture
 This is much harder to write about than the theory…

73
The Final Word
 How can we embed the right “risk culture” in banks?
 The answer is not “more regulation”….regulation is not culture, it is
process and bureaucracy (of course this is not to diminish the vital role and
importance of regulation in ensuring banking sector systemic safety)
 In the author’s view, two things will help:
 We adopt a view that “we are ALL risk managers.” Managing risk is not the role
of only the 2LoD or Compliance department
 Only individuals who have demonstrated a track record of commitment to
implementing a sound risk culture in banks should be elevated to positions of
executive seniority in banks
 The following slide is part of the “Afterword” to The Principles of Banking,
2nd Edition….
 …and speaks to “risk culture”
 “The first principle of good banking…is to have principles.”
 The Author

74

75
Recommendations for effective risk culture
 They were at the beginning! In the Agenda….
 1- only individuals who have demonstrated an observable, peer-confirmed track record of
commitment to implementing a sound risk culture in banks should be elevated to positions of seniority
in banks
 2- Act on and make real the bank's formal risk management policies
 Simplicity, succinctness and clear language at all times, in policy documents and process maps
 Senior executives must lead from the front in building a team culture that emphasises a common and
shared goal. Remuneration policy is part of this…
 Clear, accurate and succinct MI that is actually read by all senior execs
 Genuine technical knowledge and expertise exhibited by the C-suite and the Board Directors
 Governance framework (committee structure) that is effective and reviewed as such regularly; principally
demonstrated through an open discussion and debate culture at committees where all attendees views
are heard and encouraged, consensus is built and the Chair positively drives such a culture
 3- Embed risk management processes into the firm’s daily practice through an effective risk culture
 See slides 32-40…!
 Embedding the role and influence of 2nd Line of Defence and 3rd Line of Defence within the business
 Act on their recommendations!
 3LoD should be internal to the firm and not outsourced, so that they are better aware of the actual risk culture of
the bank
 Complete this picture: _________________ [firm-specific]

76
REFERENCE
 The Principles of Banking, 2nd Edition, John Wiley & Sons 2022,
Chapters 18-21
 https://www.amazon.com/Principles-Banking-Wiley-Finance/dp/1119755646/

78
SVB: Interest-rate Repricing Gap – 2021 NII
-110
-90
-70
-50
-30
-10
10
30
50
70
90
110
1 2 3 4 5 6 7 8 9 10
$bn
Repricing Gap - No Hedging
-110
-90
-70
-50
-30
-10
10
30
50
70
90
110
1 2 3 4 5 6 7 8 9 10
$bn
Repricing Gap - With Hedging
Fixed assets give
+1.5% return
Funding costs -0.5%
Assets = 1.5%
Funding = -0.5%
Receive-Floating Leg = N/A
Pay-Fixed Leg = N/A
Net Interest Income = 1%
Assets = 1.5%
Funding = -0.5%
Receive-Floating Leg = 0.5%
Pay-Fixed Leg = -1%
Net Interest Income = 0.5%
Pay-fixed on the swap
of -1%
Receive-floating of
+0.5% on the swap
Slide © Claire Trythall 2023

79
SVB: Interest-rate Repricing Gap – 2023 NII
-110
-90
-70
-50
-30
-10
10
30
50
70
90
110
1 2 3 4 5 6 7 8 9 10
$bn
Repricing Gap - No Hedging
-110
-90
-70
-50
-30
-10
10
30
50
70
90
110
1 2 3 4 5 6 7 8 9 10
$bn
Repricing Gap - With Hedging
Fixed assets give
+1.5% return
Funding costs -4%
Assets = 1.5%
Funding = -4%
Receive-Floating Leg = N/A
Pay-Fixed Leg = N/A
Net Interest Income = -2.5%
Assets = 1.5%
Funding = -4%
Receive-Floating Leg = 4%
Pay-Fixed Leg = -1%
Net Interest Income = 0.5%
Pay-fixed on the swap
of -1%
Receive-floating of
+4% on the swap
A similar balance sheet
structure to that
observed in the “S&L”
sector in the early
1980s
Slide © Claire Trythall 2023

80
Credit Suisse: Why was a 20bn exposure unknown to the top
management and Board of Directors?
 For reasons unknown (but which can be (educated) guessed at, Credit Suisse’s top
management and Board of Directors was unaware of the bank’s $20bn exposure towards a
single client. According to their report, Archegos appeared only once in board materials, on
December 7th, 2020 in the Group Risk Report Appendices, “mentioned only in passing on
crowded slides alongside numerous other counterparties and without any particular attention
drawn to it”.
 Orbit360 believe that Archegos exposure was difficult to detect in reports typically available to
Board and Executive Committee members. Synthetic Financing in Prime Brokerage occurs
through a structure under which the bank takes the underlying shares on its own book and
passes the P&L via a Total Return Swap (TRS) to the client. TRS is transacted under an ISDA
 Since the bank is fully hedged against market risk (the shares and the TRS offset each other),
the position creates zero Market Risk RWA and is also not visible in the Value-at-Risk (VAR).
 On the balance sheet, the replacement value of the TRS is recognized as asset (positive value)
or liability (negative value). The replacement value is only a fraction of the deal’s notional size,
highly volatile and initially zero. Because of collateraliasation and netting arrangements, positive
replacement values due by derivatives counterparties do not attract a lot of attention.
 Abrupt price fluctuations in the underlying shares can change replacement values quickly.
Counterparty Credit Risk (CCR) therefore needs to consider in addition the Potential Future
Exposure (PFE) of derivatives transactions. This requires the use of complex models for risk
management and capital adequacy purposes, including Monte Carlo simulations to determine
Exposure at Default (EAD). With RWA of ~$20bn and Credit Suisse’s overall RWA of $275bn
end of 2020, the Archegos exposure appeared therefore not very material from a Group’s
perspective and, consequently, did not get the necessary attention.

81
Credit Suisse: Did the legal entity booking model obstruct
regulatory stress tests?
 Complex group legal entity structures are ALWAYS difficult to infuse with a universal and
appropriate risk culture
 To quote Orbit360 (exhibit below reproduced with permission of Orbit 360),
 We believe that Credit Suisse’s legal entity booking model for OTC derivatives concealed exposures in
regulatory stress tests at entity level and gave the bank a capital advantage over peers subject to more
stringent stress capital requirements.
 The Paul Weiss report mentions that CS traders in the US remotely booked trades into a UK legal entity.
From December 2020, the TRS transactions with Archegos were held in Credit Suisse International (CSI),
a UK banking entity used as a global hub for the Group’s derivative products. The TRS exposures in CSI
were in so called back-to-back transaction internally transferred to CS Capital LLC, a SEC registered OTC
derivatives dealer in the US. To hedge its market risk exposure, CS Capital LLC bought and held the
underlying shares on its own accounts.

82
Credit Suisse: Why was the Investment Bank not challenged for
the insufficient profitability of the transactions?
 According to the Paul Weiss report, the bank generated with Archegos revenues of $8.5mn
in 2019 and $17.4mn in 2020. Even with significantly increased annualized revenues of $40
million in 2021, the revenues did not cover the bank’s cost of equity capital and stood in
no relation to the effective loss potential of the transactions.
 This indicates that Credit Suisse had inadequate frameworks for performance
management and risk-adjusted compensation in place. As a consequence, the bank’s
top management and Board of Directors might not have been in a position to challenge the
insufficient profitability, so that the business had incentives to accept transactions which did
not create any value for shareholders and provided the firm a bad risk-reward trade-off.
 Orbit360:
 Our considerations suggest that the Board of Directors of Credit Suisse should not
solely focus on the strict implementation of the recommendations of the Paul Weiss
report, but also revisit the firm-wide frameworks and methodologies which ensure that
the decision makers at Group level have all the relevant information for risk
management and the steering of the bank at hand.

83
Credit Suisse: Clear sign of market disenchantment
 A rising credit default swap (CDS) price - especially when compared to
one’s peers – is never a good sign…
 On 28 March 2023 the average EUR CDS price for banks was ~80bps
 Where was CDS at this point?
Source: Prof. Mario Cerrato,
University of Glasgow

84
Credit Suisse: CDS price up to its demise
 Off the chart!

85
DISCLAIMER
The material in this presentation is based on information that we consider reliable, but we do not
warrant that it is accurate or complete, and it should not be relied on as such. Opinions expressed
are current opinions only. We are not soliciting any action based upon this material. Neither the
author, his employers, any operating arm of his employers nor any affiliated body can be held liable
or responsible for any outcomes resulting from actions arising as a result of delivering this
presentation. This presentation does not constitute investment advice nor should it be considered
as such.
The views expressed in this presentation represent those of the lecturer in his or her individual
private capacity and should not be taken to be the views of any employer or any affiliated body,
including any bank that employs any member of the BTRM Faculty, or of the lecturer as an
employee of any institution or affiliated body. Either he/she or his/her employers may or may not
hold, or have recently held, a position in any security identified in this document.
This presentation is © BTRM / Moorad Choudhry 2014, 2023. No part of this presentation may
be copied, reproduced, distributed or stored in any form including electronically without express
written permission in advance from the author.

Bank Risk Management and Risk Culture

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Bank Risk Management and Risk Culture

Similar to Bank Risk Management and Risk Culture (20)

Recently uploaded

Recently uploaded (20)

Bank Risk Management and Risk Culture